European Parliament approves new General Data Protection Regulation rules

New EU data protection rules were given their final approval by MEPs on Thursday and the countdown for European-based organizations to manage the compliance risk has started. The European Parliament’s vote ends more than four years of work on a complete overhaul of EU data protection rules. The reform will replace the current data protection directive, dating back to 1995 when the Internet was still in its infancy, with a general regulation designed to give citizens more control over their own private information in a digitised world of smartphones, social media, internet banking and global transfers.

The new rules include provisions on:

  • A right to be forgotten;
  • ‘Clear and affirmative consent’ to the processing of private data by the person concerned;
  • A right to transfer your data to another service provider;
  • The right to know when your data has been hacked;
  • Ensuring that privacy policies are explained in clear and understandable language, and
  • Stronger enforcement and fines up to 4 percent of an organization’s total worldwide annual turnover, as a deterrent to breaking the rules.

The new General Data Protection Regulation will enter into force 20 days after its publication in the EU Official Journal. Its provisions will be directly applicable in all member states two years after this date.

Member states will have two years to transpose the provisions of the directive into national law.

Due to the UK's and Ireland's special status regarding justice and home affairs legislation, the directive's provisions will apply in these countries only to a limited extent.

Denmark will be able to decide within six months after the final adoption of the directive whether it wants to implement it in its national law.

For European-based organizations the new regulations present an important compliance risk. The consequences of non-compliance include reputational damage and high financial costs. Organizations should also realise that 'data' is not limited to digital data; it also includes written records.

Comments

This legislation will make it harder for businesses to keep their heads in the sand – and it will force the issue of cyber security even further up the food chain. It’s time to stop admiring the problem and to start doing something about it. There will be a huge shakedown in the IT security industry over the coming months, and only those who offer true and sustainable value will survive; because businesses will rely on the security industry to actually tackle the disease, not just deal with the symptoms.

Fraser Kyne, regional SE director at Bromium

This is a great step towards the regulation of data loss, creating a penalty for businesses who choose not to invest in proper security. As we have seen through the first half of 2016, significant data breaches have impacted over 100 million people worldwide, including affecting governments. The Netherlands set the standard by enforcing fines on businesses that were victims of data breaches and, with this now being the standard for the entire EU, businesses will finally consider the real cost and impact of their decision not to put security as their number one consideration around their IT and data strategy.

Alex Cruz Farmer, VP of cloud at NSFOCUS IB

The EU General Data Protection Regulation (GDPR) is a call to arms for organizations.

One of the EU's most heavily contested pieces of legislation, its controversial requirements threaten significant penalties for businesses worldwide that are non-compliant with data protection rules.

However, it also offers hope by introducing a ‘carrot’ and ‘stick’ approach. The ‘carrot’ is a recommendation of ‘pseudonymisation’ to ensure personal information is no longer identifiable, reducing certain obligations on those who follow this approach. The ‘stick’ is the threat of penalties for businesses that are non-compliant.

For many enterprises, this will mean re-architecting operations to accommodate a data-first approach. The first step will be understanding where all the data sits. The second step will require technology that has the ability to scale and protect all data.

For many, this will require an investment in new technologies, like data masking, that can pseudonymise data once and ensure all subsequent copies have the same protective policies applied. Only by taking this course of action can organizations future-proof the business from costly data breaches and ensure compliance with all elements of new and impending regulation.

Iain Chidgey, VP and general manager, International at Delphix
